simon.fraser@apple.com authored
Reviewed by Dan Bernstein, Darin Adler.

Re-entrant layout via plug-ins may cause crashes with bad RenderWidgets
https://bugs.webkit.org/show_bug.cgi?id=36675
<rdar://problem/7787617>

Fix two places in the code where RenderWidgets can get destroyed while being iterated over. This can happen when plug-ins execute script from NPP_SetWindow, and that script makes a change to the page that destroys a RenderWidget.

Tests: plugins/reentrant-update-widget-positions.html
       plugins/update-widgets-crash.html

* page/FrameView.cpp:
(WebCore::FrameView::updateWidgets): ref() the RenderEmbeddedObjects that are put into the vector before iterating over them, and deref() them at the end. Rather than checking the m_widgetUpdateSet to see if the RenderWidget is still live, test object->node().
* rendering/RenderView.cpp:
(WebCore::RenderView::Rende...
9585cfdf
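
The pattern the commit message describes for updateWidgets (pin every object with ref() before iterating, test liveness on the object itself, deref() at the end), as an added example that is not WebKit code. `Widget`, `View`, `attached` (standing in for `object->node()`) and `onUpdate` are hypothetical names; the scenario is constructed.

```cpp
#include <functional>
#include <set>
#include <vector>

// Hypothetical ref-counted renderer; "attached" stands in for object->node().
struct Widget {
    int refCount = 1;      // the view's owning reference
    bool attached = true;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};

struct View {
    std::set<Widget*> updateSet;
    // Models plug-in code that runs page script during the update.
    std::function<void(View&, Widget*)> onUpdate;
    // Script removed the element: detach and drop the owning reference.
    void destroy(Widget* w) {
        if (!updateSet.erase(w)) return;
        w->attached = false;
        w->deref();
    }

    // Returns the number of widgets that were still live and got updated.
    int updateWidgets() {
        std::vector<Widget*> snapshot(updateSet.begin(), updateSet.end());
        for (Widget* w : snapshot) w->ref();      // pin every entry first
        int updated = 0;
        for (Widget* w : snapshot) {
            if (!w->attached) continue;           // destroyed by an earlier callback
            ++updated;
            if (onUpdate) onUpdate(*this, w);     // may re-enter destroy()
        }
        for (Widget* w : snapshot) w->deref();    // frees anything destroyed meanwhile
        return updated;
    }
};

// Constructed scenario: updating either widget destroys the other one.
int reentrantUpdateDemo() {
    View v;
    Widget *a = new Widget, *b = new Widget;
    v.updateSet = {a, b};
    v.onUpdate = [a, b](View& view, Widget* w) { view.destroy(w == a ? b : a); };
    int updated = v.updateWidgets();
    for (Widget* w : std::vector<Widget*>(v.updateSet.begin(), v.updateSet.end())) v.destroy(w);
    return updated;   // 1
}
int main() { return reentrantUpdateDemo() == 1 ? 0 : 1; }
```

Without the ref() pass, the re-entrant destroy() would free the second widget while its pointer is still in the snapshot, and the liveness test would read freed memory.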